REASONS FOR REQUESTING A PRE-APPEAL BRIEF REVIEW



Claims 21-26 and 31-32 were elected, and rejected under 35 USC 102(a) based on Vaidya 
(US Patent 6,279,113). Claims 31 and 32 were also found objectionable under 35 USC 112, 
second paragraph. Appellants respectfully traverse this rejection and objection as follows. 



Claim 21 recites a method of detecting intrusions. A plurality of intrusion signatures are 
stored. A multiplicity of system events having respective signatures are automatically detected. 
Each of the multiplicity of system event signatures is compared to the plurality of intrusion 
signatures. A number of times that each of the intrusion signatures matched the system event 
signatures is recorded. The stored plurality of intrusion signatures are automatically ordered 
based on how many times each of the intrusion signatures matched the system event signatures, 
such that the intrusion signature matching the most system event signatures is first in the order. 
A signature of a subsequent system event is subsequently compared with the plurality of 
intrusion signatures in the order. 

Thus, claim 21 recites automatic ordering of the stored plurality of intrusion signatures 
based on how many times each of the intrusion signatures matched the system event signatures, 
such that the intrusion signature matching the most system event signatures is first in the order; 
and subsequently comparing a signature of a subsequent system event with the plurality of 
intrusion signatures in the order. The order of the signatures in the list typically impacts the time 
required to match a system event signature to a signature on the list. Because of the ordering 
recited in claim 21 (based on past experience), there is a greater likelihood that a subsequent 
system event signature will match a signature earlier on the list than later. Statistically, this will 
reduce search time through the order to find a match. This is not taught or suggested by the Prior 
Art. Vaidya discloses that an attack signature profile might include expressions A, B and C. 
Vaidya also discloses an expression list, for example, including expressions A, B and C. 
However, the ordering of Vaidya's list is not changed based on how many times there is a match 
to each expression, and there is no suggestion of this. The Examiner's reliance on Vaidya as 
teaching this feature of claim 21 represents clear factual error. Also, the Examiner failed to make 
a prima facie case under 35 USC 102 or 103. Therefore, the rejection of claim 21 under 35 USC 
102 should be reversed, and there is no basis to reject claim 21 under 35 USC 103. Appellants 
also request the PreAppeal Board to render an opinion as to 35 USC 103. 

Claims 22 and 23 depend on claim 21. Independent claim 24 distinguishes over Vaidya 
for the same reasons that claim 21 distinguishes thereover, and claims 25 and 26 depend on claim 
24. 

Independent claim 31 distinguishes over Vaidya for the same reason that claim 21 
distinguishes over Vaidya. In addition, claim 31 recites that one of the system event signatures 
does not match any of the intrusion signatures and does not correspond to an intrusion, and other 
of the system event signatures match respective ones of the intrusion signatures. The one system 
event signature is stored in association with the plurality of intrusion signatures. A number of 
times that each of the intrusion signatures matches a respective one of the system event 
signatures is recorded. A number of times that the one system event has occurred is recorded. 
The stored plurality of intrusion signatures and the one system event signature are subsequently 
ordered based on the respective number of times that have been recorded for the plurality of 
intrusion signatures and the one system event signature, such that the signature for which the 
most number of times has been recorded is first in the order. 

Thus, independent claim 31 recites a technique to add a new system event signature, not 
corresponding to an intrusion, to the list of intrusion signatures. The intrusion signatures and the 
one new system event signature are ordered based on the number of times they are matched. If 
the one system event occurs relatively frequently, its signature will be near to the beginning of 
the order. Statistically, this will reduce search time through the list because the search can 
terminate when the one system event signature is encountered without searching the remainder of 
the list. The Examiner did not cite any prior art for this feature of claim 31, so this represents 
clear error by the Examiner. Also, the Examiner failed to make a prima facie case under 35 USC 
102 or 103. Therefore, the rejection of claim 31 under 35 USC 102 should be reversed, and 
there is no basis to reject claim 31 under 35 USC 103. Appellants also request the PreAppeal 
Board to render an opinion as to 35 USC 103. 

Independent claim 32 distinguishes over Vaidya for the same reason that claim 31 
distinguishes over Vaidya. 
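
The count-based ordering described for claims 21 and 31, as an added Python illustration (not code from the application or from Vaidya). The signature strings, the `SignatureList` class, and the analyst-supplied `benign` set used to decide that an unmatched event is not an intrusion are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Signature:
    pattern: str            # constructed stand-in for a real signature
    intrusion: bool = True  # False = stored non-intrusion event signature (claim 31)
    hits: int = 0           # number of times this signature matched an event

class SignatureList:
    def __init__(self, patterns):
        self.sigs = [Signature(p) for p in patterns]

    def match(self, event_sig):
        """Scan in current order; return (signature or None, comparisons made)."""
        for n, sig in enumerate(self.sigs, start=1):
            if sig.pattern == event_sig:
                sig.hits += 1
                return sig, n          # search ends at the first match, benign or not
        return None, len(self.sigs)

    def store_benign(self, event_sig):
        """Store a non-intrusion event signature alongside the intrusion ones."""
        self.sigs.append(Signature(event_sig, intrusion=False, hits=1))

    def reorder(self):
        """Most-matched signature first; the stable sort keeps ties in prior order."""
        self.sigs.sort(key=lambda s: s.hits, reverse=True)

def scan(sig_list, events, benign=frozenset()):
    """Match every event; return total comparisons and the intrusion alerts."""
    total, alerts = 0, []
    for ev in events:
        sig, n = sig_list.match(ev)
        total += n
        if sig is None and ev in benign:   # assumption: benign set is analyst-supplied
            sig_list.store_benign(ev)
        elif sig is not None and sig.intrusion:
            alerts.append(ev)
    return total, alerts

def demo():
    # Constructed sample data: three intrusion signatures and one benign heartbeat.
    sl = SignatureList(["port-scan", "sql-probe", "ssh-brute"])
    events = ["heartbeat"] * 5 + ["ssh-brute"] * 3 + ["sql-probe"]
    before, alerts1 = scan(sl, events, benign={"heartbeat"})
    sl.reorder()
    after, alerts2 = scan(sl, events)
    return before, after, [s.pattern for s in sl.sigs], alerts1 == alerts2
```

On this constructed event stream the same nine events cost 30 comparisons before the reorder and 14 after it, with identical intrusion alerts in both passes.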

35 USC 112, Second Paragraph Rejection 



The Examiner objected to claims 31 and 32 because of the recitation "storing said one 
system event signature in association with said plurality of intrusion signatures" in line 8 of claim 
31 and line 8 of claim 32. The Examiner asserted that there was no antecedent basis for "said 
one system event signature". Appellants respectfully traverse this rejection based on the 
following. 

The antecedent basis for "said one system event signature" is "one of said system event 
signatures" in line 5 of claim 31 and line 5 of claim 32. ("Said one system event signature" does 
not refer to "other of said system event signatures" as asserted by the Examiner, because "other" 
is not the same as "one".) This represents clear error by the Examiner. 

Based on the foregoing, Appellants request that the Pre-Appeal Board reverse all the 
rejections of the Examiner. 



Respectfully submitted, 

Fax: 607-429-4119 

Arthur J. Samodovitz 
Reg. No: 31,297 